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Value  Statement 

Security  in  an  organizational  setting  boils  down  to  two  very 


different  tasks. 

Task  one  is  to  craft  defenses-controls  that 
detect  and  stop  unwanted  intrusion  of  all  sorts. 
These  controls  have  technical  aspects,  and 
process  aspects,  and  human  aspects.  So  this 
by  itself  is  a  huge  and  varied  task.  And  damned 
interesting  too.  This  is  why  people  go  into  the 
security  field-to  meet  these  interesting  and 
ever-evolving  defensive  challenges. 

Task  two  is  to  measure  and  communicate  the 
value  of  those  defenses. 

That’s  a  huge  and  varied  task  as  well,  but 
fundamentally  different  from  the  first  task. 
Some  people  find  this  second  task  interest¬ 
ing.  Other  people  find  it  incredibly  tedious,  or 
contend  that  it’s  impossible  to  calibrate  with 
any  precision  at  all.  I  dare  say  none  of  these 
people-as  in,  not  one  single  person  in  the  secu¬ 
rity  profession,  whether  they  like  or  loathe  task 
two — originally  got  into  the  field  because  of 
their  interest  in  measuring  the  value  of  security. 
Some  few,  bless  them,  have  gravitated  in  that 
direction  and  chosen  to  make  it  a  focus.  But  no¬ 
body  started  there. 

However,  the  job  is  inevitable  because  it’s 
part  of  the  nature  of  organizations-certainly 
for-profit  ones,  at  least-to  demand  measure¬ 
ment  and  communication  of  value.  If  you  read 
human  resources  publications,  they  are  talking 
about  how  to  position  HR  as  more  strategic  and 
how  to  communicate  its  value.  Same  with  jour¬ 
nalism.  And  soon. 

So  security  leaders  better  get  good  at  mea¬ 


suring  the  value  of  their  work. 

That’s  why  it's  a  pleasure  to  announce  the 
recipients  of  our  inaugural  CS040  awards,  and 
to  offer  them  up  as  examples  to  learn  from  and 
emulate.  We  created  this  award  to  recognize 
and  foster  progress  on  task  two.  I  hope  you  will 
look  carefully  at  their  projects  and  statements 
of  value,  and  that  you  find  ideas  that  will  help 
you  in  your  own  work. 

*** 

On  a  personal  note,  this  is  my  final  issue  as 
CSO's  editor  in  chief.  I’d  like  to  extend  my  most 
sincere  thanks  to  all  of  you  for  sharing  your  ex¬ 
pertise,  and  my  best  wishes  for  the  future.  For 
me  this  has  been  an  unforgettable  and  wonder¬ 
ful  ride. 

-Derek  Slater,  Editor  in  Chief 
Can We Please Get an Accurate Picture?

Last month I examined the substance of President Obama's just-released executive order on cybersecurity. As I spent more time with it, I got to thinking about all the other cybersecurity initiatives that are floating around Washington, DC. But one in particular has caught my attention.

In the past few years, not many people have had a greater direct impact on cybersecurity than Sen. Jay Rockefeller (D-WV), who has been publishing relevant initiatives and who chairs the Senate Committee on Commerce, Science and Transportation. As a champion of the failed Cybersecurity Act of 2012, the senator has taken a keen interest in addressing the cyber deficiencies in our critical infrastructure.

In September 2012, Rockefeller sent letters to the CEOs of the 500 largest companies in the United States requesting "information related to each company's views on cybersecurity and the Cybersecurity Act of 2012." The letter included eight specific questions about cybersecurity best practices, their development, implementation and oversight; the company's views on the Cybersecurity Act of 2012; and the role of government in addressing cybersecurity. Three hundred companies responded to this letter.

Some companies responded because they had business pending before, or affected by, the Senate, some answered the letter without really answering it, and some ignored the letter altogether. Most security leaders I have spoken with at these companies had concerns about sharing operational information in a political environment without safeguards that would protect against its disclosure.

I have since spent some time reading the January 28th summary of responses supplied by the majority staff from the aforementioned Senate committee. While this memorandum takes the responses at face value, it fails to understand that data like this, collected under these circumstances, should be considered suspect at best.

It's important that we understand exactly what businesses think about these issues. In the future, I'd urge all those invested in cybersecurity legislation to employ a better methodology so that we can get a clear and accurate picture of what the issues really are.

This is especially true as the government moves to implement measures of the president's executive order on cybersecurity. Without a clear picture of the issues, we will likely end up heading down the wrong road.

-Bob Bragdon, publisher
bbragdon@cxo.com
Apple's App Store Lacked Encryption Protection for Months

Researchers say oversight left users vulnerable to cyber crooks by John P. Mello Jr.

Apple's App Store operated for months without the protection of SSL encryption, according to researchers.

Apple says it fixed the problem in January, but the researchers who discovered the flaw didn't write about it until March.

"I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users," Elie Bursztein, who works for Google, wrote in a post on his personal blog.

Bursztein, along with Bernhard "Bruhns" Brehm of Recurity Labs and Rahul Iyer of Bejoi, found out in July 2012 that communications between Apple's App Store and consumers using the store were unencrypted. That deficiency opened up users to several kinds of attack on public networks, like those found in an airport or coffee shop, according to Bursztein.

The potential attacks include:

Password theft. When a user logs in to the App Store, an attacker could slip a phony password request screen into the process, effectively prompting the user to hand over their password. "That Apple ID controls your credit card for buying music and apps; it controls all your backups with all your contacts," says Chet Wisniewski, a security adviser with software maker Sophos. "That's pretty sensitive stuff. The Apple ID is similar to Facebook and Google: once it's hacked, it cracks open the walnut of your entire digital life."

App swapping. A user could be duped into installing an attacker's app when they think they're installing legitimate software. An app that costs money can be substituted for a free app, too.

Fake upgrades. Cyber thieves could trick a user into installing something other than the app upgrade they think they're getting.

Installation prevention. This would prevent an app from being installed on a machine by removing it from the store or by tricking the device into thinking the app has already been installed.

App spying. The App Store's update mechanism could be tapped and all the applications installed on a user's device could be viewed by a cyber peeper.

With App Store communications vulnerable for so long, it's a wonder that a significant attack didn't take place, says HD Moore, CSO of Rapid7.

"I've seen the hacker community talking about this and demonstrate different techniques," he says, "but it is surprising that there haven't been any more wide-scale attacks."

A limiting factor, he explained, is that for these attacks to work, hackers have to be in the same physical area as their target: either in the same local segment or logged on to the same wireless network.

The security breakdown could encourage mobile app makers to take another look at their wares, Moore says. "On mobile devices, a lot of folks can't tell if SSL is on in the background. With desktops and laptops, users have been well-trained to look for that SSL lock icon in the corner."

The incident could also grab the attention of security pros at online retailers, says Jamz Yaneza, threat research manager at Trend Micro.

"I think it's a wake-up call for online retailers who outsource development of apps," he says. "When they do that, they should make sure those apps use all the encryption that's required. With all the breaches we've been hearing about in the past few weeks, now is the time for them to take a close look at how they're securing customer data."

New Zealand Businesses Secretly Prepare for Cyberattacks

A group of New Zealand organizations responsible for critical infrastructure have established voluntary standards for securing such systems against digital attack.

The New Zealand Cyber Security Voluntary Standards for Industrial Control Systems were devised with the support of the National Cyber Security Centre (NCSC).

Their originators are keeping quiet about the details of the standards and the identity of members of the group because it might set them up as a target for attackers. They will not even say how many organizations are in the group.

A statement, released through the NCSC, says the standards group "is for companies in the critical national infrastructure that are dependent on SCADA (supervisory control and data acquisition) or other industrial control, process control or telemetry systems. Members share confidentially mutually beneficial information regarding electronic security threats, vulnerabilities, incidents and solutions."

So far, the one member of the coalition that is willing to identify itself is Genesis Energy, a state-owned supplier of electricity, natural gas and propane. Company spokesman Mike Judge says, "This work has allowed us to safely discuss cybersecurity issues and work together with industry to develop best practices and share information."

"The participants in this group are well placed to provide or endorse security guidance to the New Zealand utility industry," Judge adds. "Risks will vary, but this standard we have developed is a practical compilation of best practice and guidance for establishing a secure control system.

"The aim is to minimise the threat from unauthorized or inappropriate access, and also to maintain access and control during adverse conditions.

"These voluntary standards will be applicable for a range of New Zealand industries, including electricity, oil and gas, water, transport, chemical, pharmaceutical, food and beverage, and manufacturing," Judge says. -Stephen Bell
SALTED HASH

Bill Brenner, managing editor
CSOonline's Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso

Violet Blue's Sex-Ed Talk Never Should Have Been on the B-Sides Agenda

Security B-Sides San Francisco (BSidesSF) ended on an unsettled note in late February, after a complaint led to a canceled talk. A lot of people were upset that a talk would be canceled after criticism from just one person. The talk was to be delivered by Violet Blue.

For those who don't know, Violet Blue is a writer and podcaster specializing in sex education. I don't know Violet, though I do respect her for tackling taboo subjects and putting herself out there. I was surprised to see her talk on the BSidesSF agenda because it had nothing to do with security.

Her talk was described this way:

"What drugs do to sexual performance, physiological reaction and pleasure is rarely discussed in, or out of, clinical or academic settings. Yet most people have sex under the influence of something (or many somethings) at some point in their lives. In this underground talk, Violet Blue shares what sex-positive doctors, nurses, [marriage and family therapists], clinic workers and crisis counselors have learned and compiled about the interactions of drugs and sex from over three decades of unofficial curriculum for use in peer-to-peer (and emergency) counseling. Whether you're curious about the effects of caffeine or street drugs on sex, or are the kind of person that keeps your fuzzy handcuffs next to a copy of The Pocket Pharmacopeia, this overview will help you engineer your sex life in our chemical soaked world. Or, it'll at least give you great party conversation fodder."

Someone apparently complained loudly.

As a result, Blue canceled her talk. Here's the message that appeared on the BSidesSF site that evening:

"I just want to do a quick recap of what's been said on Twitter about the situation. I was approached by @vaurora (@adainitiative) about the inappropriate and alienating nature of @violetblue's talk that was scheduled at BSides SF. After listening to @vaurora's concerns, I brought them up with @violetblue and she graciously offered to not speak in the interest of mitigating any unnecessary drama and ill-will towards BSides SF. I then made the call to cancel the talk. I understand this is a very polarizing decision and many of you may be upset, for which I apologize. As an organizer of a conference, the last thing I want is to accept a talk only to later have it pulled. Given the situation at that time, it seemed like the correct call to make."

The organizers never should have put her on the agenda in the first place.

As I said, I have no issues with Violet Blue and her chosen topics. But this talk was billed as the stuff of "party conversation fodder."

I'm all for having fun, but I'm also a purist in that I believe a security event should have an agenda that stays on topic.

I recently wrote a post defending BSidesSF after someone suggested it was time for the event to "grow up." I argued that it's healthy to have events as different as B-Sides and RSA in the same week, that there's a useful balance to the whole thing.

That doesn't mean I support every decision organizers make. In this case, their blunder was big.

My advice for the future: If you're going to put on a security event, make sure the talks fit the topic. If you add sex for entertainment value, you're doing it wrong.


8 www.csoonline.com APRIL 2013


Cross-Platform Malware That Hit Tech Giants Looked for Specific Targets

The creators of the cross-platform malware that infected employee computers at Apple, Facebook, Twitter and Microsoft appeared to look for specific targets among the visitors to several compromised websites used to distribute the Trojan.

First reported on in February, the malware infected Windows and Mac computers through a previously unknown vulnerability in the Java browser plug-in. The Trojan was distributed through three or four developer sites, including one for Apple iOS and another for Android.

The malware did not infect all visiting computers, which indicates that the creators had the app look for particular targets, says Lysa Myers, senior security analyst for Mac antivirus vendor Intego. The company had not determined what criteria the malware used to decide which computers to infect.

Because the malware is selective, security experts have so far had difficulty reproducing the infection to see how the Trojan works.

"It may have been they're only targeting specific domains or it may be some other limiting factor that's keeping people from being infected, which makes it hard to research and find out exactly what's going on," Myers says.

The Mac Trojan contained in the malware is called Pintsized.A, which easily bypassed Apple Gatekeeper, a feature in OS X that lets users decide to run only software approved by Apple. Because the malware was installed through the Java plug-in, there was no way Gatekeeper would have seen its execution.

Gatekeeper is aimed at catching dangerous software downloaded directly from websites, not software that exploits vulnerabilities, Myers says.

"It's looking for something that's trying to go in the front door," Myers explains. "If something is punching in the windows, then it's not going to see that."

Intego believes three or four developer-focused websites were used to distribute the malware. The only site identified so far was iPhoneDevSDK.com.

The vendor could not confirm reports that computers belonging to companies outside the tech industry, such as candy makers, auto manufacturers and U.S. government agencies, were also infected. "There are a lot of rumors right now and very little specific information that's been verified," Myers says.

Apple, Facebook, Microsoft and Twitter have acknowledged that they have found the Trojan in employee computers, but the companies have shared little else with outside security firms.

"It's kind of a shock to all of us that there still has not been very much information from them as to what exactly happened," Myers says. "We're kind of piecing together from their really spotty reports about what transpired."

Overall, the number of infections was small, and Intego says the malware is probably not a threat to most home PC or Mac users.

The malware is no longer active, since calls made to its command-and-control server are rerouted to a computer set up by one of the companies that had its systems compromised.

-Antone Gonsalves

Fighting Fraud and Corruption

Unsuspecting companies can land in hot water when people they contract with launder money, issue bribes, or worse by David Geer

CSO spoke with Scott Moritz to find out where today's global enterprises are drawing the line between themselves and the shady underworld of illicit financial dealings. Moritz recently signed on as anti-corruption and investigative strategist with Protiviti, and he previously worked at KPMG and the FBI.

CSO: Fraud is old; what's new about it today? What trends are you observing?

Scott Moritz: It used to be that geography and the number of people they could engage in a day constrained fraudsters. Enabling technologies such as the Internet and mobile devices have removed those constraints.

Geography, reach and conflicts in the law still constrain those who must investigate fraud practitioners. The laws have simply not caught up with the advances in technology.

How does money laundering evolve, from the standpoint of corporate controls or culture?

The dollar figures involved and the challenges to thwarting money laundering are significant. By some estimates from the United Nations and the World Bank, fraudsters launder between $590 billion and $1.6 trillion every year. The vast majority of that is going to go through the world's financial institutions. The challenge is to make your institution less attractive than your competitors'.

Money launderers use a lot of the same advisers and approaches that high-net-worth individuals use to execute and deliver on a tax
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strategy,  including  lawyers,  accountants  and 
offshore  vehicles. 

Financial  institutions  have  some  outstand¬ 
ing  technologies  at  their  disposal  that  can 
help  find  those  needles  in  haystacks,  but  in 
order  for  them  to  be  really  effective,  these 
technologies  have  to  align  with  the  institu¬ 
tion.  These  applications  have  canned  rules 
and  protocols  based  on  known  money-laun¬ 
dering  topologies,  and  one  size  does  not  fit  all. 
Every  institution  is  different.  It  is  important  to 
apply  those  differences  and  integrate  them 
into  the  detection  system.  Absent  that,  if  you 
just  set  up  a  $20  million  transaction-monitor¬ 
ing  system  and  wait  for  it  to  spit  out  excep¬ 
tions,  you  are  going  to  fail. 

Speaking  of  controls,  how  good  and 
how  useful  are  connections  between 
fraud-prevention  departments  and  infor¬ 
mation  security  and  IT?  Can  companies 
use  network  behavior  monitoring  to  help 
prevent  internal  fraud  (as  opposed  to 
just  using  it  in  after-the-fact  forensics)? 

I  think  that  they  can.  But  in  order  for  them 
to  be  effective,  you  have  to  set  up  a  system 
that  spans  the  company  and  looks  at  every 
possible  point  of  entry  where  fraud  can  occur. 
IT,  compliance  and  antifraud  practitioners 
have  to  work  in  lockstep. 

When  you  go  into  an  organization  and  try 
to  understand  where  the  vulnerabilities  exist, 
they  exist  wherever  there  are  human  beings 
interacting  internally  or  externally  with  other 
parties. 

Then  it  is  a  matter  of  prioritizing  where  the 
institution  is  susceptible,  what  type  of  behav¬ 
iors  are  most  likely  to  cause  a  problem  and 
what  systems  are  touched  by  those  negative 
behaviors.  The  organization  must  build  trip¬ 
wires  to  detect  what  is  happening  and  help 
the  enterprise  take  appropriate  action  to  limit 
the  damage. 

What  about  ERP  software  and  other 
off-the-shelf  financial  software— how 
good  are  the  built-in  antifraud  controls? 
What  could  they  do  better? 

I  think  there  is  some  really  good  ERP  soft¬ 
ware  out  there.  It  is  a  question  of  integrating 
the  ERP  systems.  I  think  some  of  the  systems 
are  constrained,  and  there  are  very  few  com¬ 


panies  that  are  running  a  single  ERP  system. 
There  may  be  hundreds  of  ERP  systems  in 
place  in  a  global  organization. 

So  the  first  question  or  challenge  is:  What 
are  these  ERP  systems,  on  what  different 


-SCOTT  MORITZ 

system  architectures  are  they  running,  and 
how  can  you  utilize  fraud  detection  across 
the  enterprise  in  a  way  that  is  not  going  to 
be  constrained  by  these  disparate  systems? 
There  are  some  great  off-the-shelf  systems, 
but  again,  leaders  have  to  tune  these  systems 
to  the  organization. 

And  there  has  to  be  a  bit  of  a  leveling. 
These  systems  are  a  lot  like  a  new  metal  de¬ 
tector  in  an  airport.  If  it  is  too  sensitive,  there 
will  be  some  incredibly  long  lines  because  it  is 
flagging  everyone. 

The  same  is  true  when  using  antifraud  sys¬ 
tems:  You  have  to  strike  that  balance  and  do 
some  qualitative  analysis  of  the  output.  Ask 
how  many  of  these  red  flags  result  in  some¬ 
thing  that  is  actionable. 

How well are companies dealing with requirements such as the Foreign Corrupt Practices Act (FCPA), and anti-bribery and anticorruption measures?

Anticorruption’s use of technology, which is critically important, is still in its infancy. There are some really good anticorruption programs out there, but organizations are not deploying a huge amount of enterprisewide software to manage anticorruption.

Some leading companies are taking an enterprise approach, centering on the biggest area of risk. If you look at prosecutions under the FCPA, that area is the third parties with whom and through whom global enterprises do business. In upwards of 85 percent of the prosecutions over the last seven years, one or more of the third parties the company engaged to represent it in the marketplace paid the bribes; the employees of the company did not pay them.

How do you decide which of the third parties to focus on? Well, people are using systems to apply objective, risk-oriented criteria to those prospective and existing commercial relationships, grouping them by risk by country, degree of corruption, and the primary relationship that defines how parties are interacting, such as sales agent, distributor or freight forwarder.

There are also the mode and volume of interaction and the payment terms. If the third party is a sales agent, is the commission 2 percent or 25 percent? The greater the commission, the greater the risk that relationship will generate illicit monies. And of course there is the order of magnitude of the relationship. Is it a very small relationship or are they transacting tens of millions of dollars?

You have to ask whether foreign officials or governments own or partially own any of the third parties. Are they engaging directly with government agencies trying to influence them on an enterprise’s behalf? Are the enterprise’s customers government agencies or state-owned? At the center of an anticorruption program there needs to be some means of assigning risk levels to those third parties.

A lot of companies still struggle with the answer to a question that the Securities and Exchange Commission (SEC) frequently asks, which is: Who amongst your customer base are state-owned enterprises, how do you divine that and what steps do you take to mitigate the risk when dealing with state-owned enterprises? The SEC asks that question a lot, but usually after the fact. If you do not have a really good answer ready, you are in for a long and torturous process with the SEC and the Department of Justice.
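The risk-oriented criteria Moritz lists (country corruption level, the type of relationship, the commission rate, the order of magnitude of the business, and whether a government owns part of the party or the party lobbies agencies) can be combined into a simple tiering rule. The block below is an added illustration written for this page; it is not code from the interview or from any vendor's anticorruption product. The 0..100 corruption scale, the weights, the tier thresholds and the sample third parties are all assumptions made for the example.

```python
"""Third-party anticorruption risk tiering (added example; all weights,
thresholds and sample records are assumptions, not from the article)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    name: str
    country_corruption: int      # assumed scale: 0 (clean) .. 100 (most corrupt)
    relationship: str            # how the party represents the company
    commission_pct: float        # 0 when the party is not paid on commission
    annual_volume_usd: float     # order of magnitude of the relationship
    government_owned: bool       # any ownership by a foreign official or government
    deals_with_government: bool  # influences agencies on the company's behalf


# Assumed weights: parties that represent the company in sales carry more risk
# than those that only move goods.
RELATIONSHIP_WEIGHT = {
    "sales_agent": 30,
    "consultant": 25,
    "distributor": 20,
    "freight_forwarder": 15,
}


def risk_score(tp: ThirdParty) -> float:
    """Additive score over the interview's criteria (assumed weights)."""
    score = tp.country_corruption * 3 / 10          # country risk: up to 30 points
    score += RELATIONSHIP_WEIGHT.get(tp.relationship, 10)
    # Commission: a 2% commission adds little; 25% adds the full 25 points.
    score += min(max(tp.commission_pct, 0.0), 25.0)
    if tp.annual_volume_usd >= 10_000_000:          # "tens of millions of dollars"
        score += 15
    elif tp.annual_volume_usd >= 1_000_000:
        score += 8
    if tp.deals_with_government:
        score += 10
    return score


def risk_tier(tp: ThirdParty) -> str:
    """Map a party to a due-diligence tier. Government ownership is a hard
    trigger for the highest tier regardless of score (assumed policy)."""
    if tp.government_owned:
        return "high"
    score = risk_score(tp)
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def group_by_tier(parties):
    """Group parties by tier, the 'grouping them by risk' the interview describes."""
    groups = {"high": [], "medium": [], "low": []}
    for tp in parties:
        groups[risk_tier(tp)].append(tp.name)
    return groups


# Constructed sample portfolio (not real companies).
SAMPLE_PARTIES = [
    ThirdParty("Agent A", 80, "sales_agent", 25.0, 20_000_000, False, True),
    ThirdParty("Forwarder B", 20, "freight_forwarder", 0.0, 200_000, False, False),
    ThirdParty("Distributor C", 50, "distributor", 0.0, 5_000_000, False, False),
    ThirdParty("Venture D", 10, "distributor", 0.0, 100_000, True, False),
]

if __name__ == "__main__":
    for tier, names in group_by_tier(SAMPLE_PARTIES).items():
        print(f"{tier}: {', '.join(names)}")
```

The point of the hard trigger in `risk_tier` is the one Moritz makes about the SEC's state-ownership question: a low additive score must never hide a government-owned counterparty, so that condition is answered before any weighting is applied.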


Security Mentors

Do you need one? (Yes.) Should you be one? (Yes.) How do you get one? (Very carefully.)

BY LAUREN GIBBONS PAUL


IT’S HARD TO IMAGINE ANYONE being against mentoring. After all, having a close adviser guiding you up the career ladder or doing the same for someone else seems like an idea as wholesome and easy to support as motherhood and apple pie. And some believe mentors are all the more crucial to security professionals as the relationship provides a needed sounding board and helps mitigate the stresses and complexities of security.

For those on the information security side, “cybersecurity is a complex field, and it’s often quite technical trying to solve issues that revolve around what is often qualitative in nature,” says Phil Lerner, vice president of technology at network security provider Stonesoft and professor at St. John’s University in New York. Security pros can get overwhelmed at any point in their careers, even when they’re at the very top, and it helps to have a dispassionate voice to help sort things out, especially someone outside the organization who has no axe to grind.

Mentors can help CSOs (and aspiring CSOs) avoid disastrous unintended consequences, says Lerner. “Decisions can have great impact on an enterprise, and if not executed carefully with guidance, it can result in unpredictable and very costly lessons learned,” he says.

Lerner has been both mentor and protege at various times and is comfortable in both roles. “For me, mentoring and being mentored is a continual process throughout my career,” he says.

Where to Find One?

But although everyone seems to agree that anyone, in any profession and at any stage of their career, could benefit from a mentor, that still leaves unanswered the trickier question of where to find the right person for the job.

“To me, that is the most challenging part,” says Kevin Riggins, enterprise security architect for a Fortune 500 financial services organization. Riggins has been an avid Twitter user for years, and he discovered that the site was an excellent way to bring like-minded (in his case, information-security-minded) people together.

About two years ago, Riggins and his Twitterati got together and started a blog, InfoSec Mentors, where people could come seeking a mentor or offering to be one.

“Basically, we saw this need: people who need mentors and people who want to be mentors,” he says. Activity on the site was strong for about 18 months, but Riggins says that lately it’s been dormant, though it could spring back up if there is interest.

A mentoring veteran on both sides, Riggins says it’s important not to have too rigid a concept of what you want mentoring to do for you.

“Every mentoring relationship is unique because the needs of the individual are always unique,” he says. When he is contacted by someone who is interested in being mentored, he first sends an introductory email laying out his areas of expertise (technical and managerial), his interests, and any relevant experience he has, either professional or personal.

“The relationship is all about them figuring out how I can help. I rely on them to drive where they need the most help,” he says. After nearly 15 years in security and 25 in IT, Riggins thinks being an impartial listener may be his best asset to those he mentors.

“I am always available as a nonjudgmental ear. Talking out a problem may lead to a solution on its own. Sometimes that’s all you need,” he says. “That is probably the most important role I have as a mentor.”

Having someone to vent to is especially critical for those at private, non-vendor companies. “It can be very stressful. It’s often a role where the business views security as stopping them from doing things.” A little coaching goes a long way in helping people in that position learn how to do their jobs without looking (and feeling) like a roadblock to the business. “Essentially, this is a communication skill,” says Riggins. “People who have been around for a while can help with that.”

Modeling good communication is a key mentor activity, according to Tim Keanini, chief research officer for nCircle, a network security firm. “Security cuts across many other disciplines,” says Keanini. “You can’t run an effective program without support from just about every department in the organization, so you need to be able to speak their language.” A mentor can get you used to the lingo and customs of the group you need to approach.

For his part, Riggins has sought input from mentors most often over the years when he was considering a career move out of IT (in the early years of his career) and later, out of security.

“I didn’t have any formal mentors until a few years ago as I was considering some changes. I reached out to some people in my industry and asked them to talk me through it,” he says. When seeking a mentor, Riggins had to look no further than his digital backyard: the many contacts he has built up in online communities and social networking sites.

“Asking someone to be your mentor seems to work best if you have some personal relationship with the person or have at least interacted with that person online,” he says.

Riggins is often mentoring four or five people at a time, almost all of whom work in information security. But making time for his proteges has never been a problem, he says. “The demands on my time have never been onerous, not even adding up to an hour every week. It just hasn’t been that much of a time sink.”

At its best, mentoring should be a two-way street. “Every day, I learn something new and hope to impart the same wisdom to folks evolving through their careers,” says Lerner.

RT @csoandy: “@rickhholland: iStockphoto has some of the WORST images for ‘hackers’” < business opportunity!
-Anthony M. Freed @anthonymfreed

Anyone who feels Mac “doesn’t get viruses” hasn’t heard of Pintsized.A, a new trojan that bypasses Mac security
-Lee Munson @Security_FAQs

You know what will draw funding and attention to fix “cyber” security issues? More Kardashian sisters, Beyonce, and Jay-Z doxing.
-Christofer Hoff @Beaker
Big Data Protects Intel’s Info

The company’s initiative earned it top honors in the first annual CSO40 awards, which recognize security projects that have delivered outstanding business value

By Bob Violino


THESE DAYS, LOTS OF COMPANIES ARE LOOKING for ways to use big data and analytics to improve their security, but Intel is one of the first to actually pull it off.

The company’s initiative, called Security Business Intelligence (SBI), earned the company top honors in the CSO40 awards, which recognize security projects that have delivered outstanding business value.

Intel IT began building its SBI platform in 2010.

“SBI is one of the pillars of our Protect to Enable enterprise security strategy,” says Malcolm Harkins, Intel’s chief security and privacy officer. “The ability to filter and distill the billions of events per day brings tremendous security value to the enterprise.”

The Protect to Enable strategy focuses on applying reasonable levels of protection, which allows information to flow through the organization and gives users a better experience while at the same time reducing risk.

In 2012, Intel made significant progress in implementing this architecture, which is based on four pillars. The first pillar is identity and access management, which allows users’ access privileges to be dynamically adjusted as the level of risk changes. Intel has tested this system in its production environment and continues to refine these tools for a range of devices, locations and infrastructure technologies.

(Photo caption: Malcolm Harkins, Intel’s chief security and privacy officer.)

The second pillar is data protection. Intel is implementing technologies to safeguard its information when it’s created, stored and in transit. The company has expanded deployment of enterprise-rights-management software and implemented new data-loss-prevention technologies to better track sensitive data.

The third pillar is infrastructure. For example, Intel has implemented secure trust zones within its enterprise private cloud that enable it to virtualize internally and externally facing applications with higher security requirements.

The final pillar is SBI. “As we allow access to enterprise systems from more devices, we need improved detection and analytical capabilities,” says Alan Ross, senior principal engineer. “We deployed a flexible dashboard to view malware infection data down to the machine level and added a predictive engine that enables proactive protection and simulations to improve our ability to respond to threats.”

The primary goals of the SBI platform are to use big data and advanced analytics to improve Intel’s ability to predict, prevent, detect and respond to cyberthreats; develop the tools and reporting capabilities to distill large amounts of data into meaningful analysis; and use the resulting analysis to cut overall costs by reducing or eliminating other security controls that may be less effective. Intel IT is also looking at ways to use trusted sensor and event information from its platforms to improve the quality and reliability of the SBI system.

Emphasis on Privacy

One goal of SBI was to develop privacy controls before and during the deployment of the platform to ensure that data administrators, analysts, security investigators and forensics teams “understand, respect and abide by Intel’s privacy compliance requirements,” Ross says.

While working on SBI, Intel also wanted to clearly define who has access to certain types of data, how the data will be stored and segmented, and when certain types of data will be deleted. Of particular importance to the team was the development of policies and processes that ensure that personal information is stored and accessed according to the company’s guidelines.

By incorporating privacy early on when developing products, services and programs, Intel can fulfill its objectives. To make sure it covers all its bases, the company uses a privacy impact assessment (PIA).

A PIA is similar to an audit — it’s an evaluation performed to verify that a new or existing organizational process or system adheres to appropriate privacy laws, regulations and policies. It also assesses the risk to privacy associated with the business process that’s being evaluated, and it examines potential methods of risk mitigation.

One objective of a PIA is to cause an organization to think about its process choices and their impact on privacy. The assessment allows a company to analyze and document not only the project’s anticipated data lifecycle, but also its reasons behind the treatment of data at each stage.

The SBI platform performs real-time correlation of big data to detect security threats faster, boosting Intel’s ability to intervene quickly while reducing its risk exposure, Ross says. “Using this platform, we can monitor traffic from Intel’s servers to detect data exfiltration abnormalities and send alerts to security responders,” he says. “This platform allows us to detect security threats faster, not only to boost our ability to intervene quickly, but also to reduce our risk exposure.”

The SBI architecture is built around three layers: common logging service, correlation layer and predictive analytics. It collects some six billion events per day to deliver near real-time reporting. Analysis of these events provides early detection of anomalous behaviors both among client devices and in the server environment.

For example, SBI can detect and respond to anomalous situations such as when a user appears to log in from two geographic locations at the same time. This can be indicative of a compromised credential and may cause the system to dynamically adjust the device trust level and the access that is granted to that account.

In the case of bring-your-own-device initiatives, Intel can use SBI tools to monitor the transactions with its application gateways and one-time password generator. These logs, combined with the company’s new trust-level-based architecture, mean “we can create detailed, real-time correlation rules and can dynamically adjust the trust level of a device and the applications a user can access,” Ross says.
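The correlation rule just described (a user who appears to log in from two geographic locations at the same time, followed by a lowering of trust and of the applications the account may reach) is small enough to show end to end. The block below is an added example written for this page, not Intel's SBI code; the login-event format, the geo lookup table, the 900 km/h speed threshold and the trust-to-application policy are all assumptions constructed for the demonstration.

```python
"""Impossible-travel correlation rule with trust-level adjustment.

Added example, not Intel's SBI code. It runs the rule over a few constructed
login events: when the same account logs in successfully from two places
faster than anyone could travel, the account is flagged and its trust level,
and with it the applications it may reach, is lowered. The geo table, speed
threshold, trust policy and log lines are all assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed lookup of login locations (latitude, longitude in degrees).
GEO = {
    "Portland": (45.52, -122.68),
    "Hillsboro": (45.52, -122.99),
    "Bangalore": (12.97, 77.59),
}

# Assumed threshold: faster than any commercial flight means the two logins
# cannot both belong to the legitimate user.
SPEED_LIMIT_KMH = 900.0
EARTH_RADIUS_KM = 6371.0

# Assumed trust policy: which application classes each trust level may reach.
ACCESS_BY_TRUST = {
    "high": {"email", "intranet", "source_control", "erp"},
    "medium": {"email", "intranet"},
    "low": {"email"},
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def parse_event(line):
    """Parse one constructed auth log line, e.g.
    '2013-03-04T09:00:00Z user=alice result=success loc=Portland'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def impossible_travel(lines):
    """Return findings (user, from, to, speed_kmh) for consecutive successful
    logins by the same user whose implied travel speed exceeds the limit."""
    by_user = {}
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["result"] != "success":     # failed attempts are a separate signal
            continue
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["loc"] == cur["loc"]:
                continue
            km = haversine_km(GEO[prev["loc"]], GEO[cur["loc"]])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours
            if speed > SPEED_LIMIT_KMH:
                findings.append((user, prev["loc"], cur["loc"], round(speed)))
    return findings


def adjust_trust(current_level, flagged):
    """Drop a flagged account to 'low' trust; return (level, allowed apps)."""
    level = "low" if flagged else current_level
    return level, ACCESS_BY_TRUST[level]


# Constructed log lines: alice's second login is ~13,000 km away 30 minutes later,
# bob moves a few km in 40 minutes, carol has only one successful login.
SAMPLE_LOG = [
    "2013-03-04T09:00:00Z user=alice result=success loc=Portland",
    "2013-03-04T09:00:00Z user=bob result=success loc=Portland",
    "2013-03-04T09:05:00Z user=carol result=failure loc=Bangalore",
    "2013-03-04T09:10:00Z user=carol result=success loc=Portland",
    "2013-03-04T09:30:00Z user=alice result=success loc=Bangalore",
    "2013-03-04T09:40:00Z user=bob result=success loc=Hillsboro",
]

if __name__ == "__main__":
    hits = impossible_travel(SAMPLE_LOG)
    flagged_users = {f[0] for f in hits}
    for user in ("alice", "bob", "carol"):
        level, apps = adjust_trust("high", user in flagged_users)
        print(user, level, sorted(apps))
```

Two design points carry over to a production rule: only successful logins are paired, because a failed attempt from far away is a credential-guessing signal rather than evidence the user moved, and the response lowers trust rather than locking the account outright, which matches the article's "dynamically adjust" wording and keeps a false positive from becoming an outage for the user.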

Tangible Results

Among the results Intel has seen with its SBI platform is a 99 percent increase in efficiency, reducing data collection analysis throughput time from two weeks to 20 minutes. In addition, the platform can process 200 billion server event logs and provide results in less than 30 minutes. With these and other controls in place, the company is currently seeing a malware infection rate of less than one percent.

Several key factors helped Intel’s SBI project succeed. One was starting small and choosing a value asset or a few core infrastructure services before expanding. Another was to focus on the areas where a breach would be most harmful.

Yet another winning strategy was to build the program’s value based on its goals. “We built solutions for our investigators before expanding to cover additional use cases from our customers,” Ross says.

Finally, Intel put together a strong team to create and implement SBI. “We gathered experienced security professionals, including architects, investigators and engineers,” Ross says. “These people worked closely with our privacy experts to design and document the tools, policies, processes and privacy guidelines.”

Intel is developing a My Security Alerts tool, which it will deploy sometime in 2013, that lets employees view activity associated with their accounts and report suspicious behavior.

“Advanced malware attacks can infiltrate employee accounts and gain access to our internal network and do harm without appearing to be an intrusion. Our SBI platform is incredibly powerful, but it does not have the contextual information that an individual employee knows about their own use of company resources. The My Security Alerts tool will allow our employees to help us identify suspicious activity,” says Ross.

Every day, the SBI platforms collect and process billions of events, Ross says. “We filter those events down, process the data with a new set of analytics that can flag potentially suspicious activity, and then present a summarized view of that to each individual employee. We then ask for their help to review these events and let us know if they want us to investigate it further.”

Intel is continuing to scale its SBI platform to increase its ability to find advanced threats, react quickly and develop preventive and corrective controls for the future.

■ Bob Violino is a freelance writer and editor.
And The Other Winners Are...

39 more projects recognized for outstanding business value

Aetna

PROJECT: International governance, risk and compliance (GRC) program, ensuring compliance with in-country security and privacy rules
LEADERS: Jonathan Swanson, enterprise information security architect; Mark Coderre, head of enterprise information security architecture
DESCRIPTION: The project incorporated 93 country-specific regulations and 787 new control standards into a GRC management platform. The platform mapped regulations and requirements to Aetna policy, assured the company was complying with in-country rules and corporate policies, validated findings and recommendations with Aetna legal and compliance departments, and translated compliance requirements to technical, process, automated and manual controls.

BUSINESS VALUE: The program streamlined governance processes and reduced the time required to identify and map legal, regulatory and IT controls by 80 percent. Process and data gathered are consistent across the countries, providing a higher quality result.

Akamai

PROJECT: Herding Lizards: better risk management
LEADERS: Andy Ellis, CSO; Mike Afergan, general manager of Web experience
DESCRIPTION: This project was designed to transform the infosec function from a technical operator empowered with a checklist to a consulting partner who can provide centralized administrative support. The department performed rapid prototyping of ways to improve risk awareness and settle into effective strategies. The prototypes were informed by a Socratic dialogue among the infosec community and by academic work in control theory. The result has been a revamping of the underlying philosophy of security governance.

BUSINESS VALUE: The organization’s budget has increased 350 percent over two years as stakeholders have asked for more support, funded out of their own budgets.

Argonne National Laboratory

PROJECT: Vulnerability assessment team
LEADERS: Roger Johnston, team leader; Jon Warner, systems engineer
DESCRIPTION: Find and demonstrate vulnerabilities in physical security devices, systems and programs, then suggest practical, low-cost countermeasures.

BUSINESS VALUE: The team has provided security solutions, research and development, consulting and training to more than 50 private companies, NGOs and government agencies.


Becton, Dickinson and Co.

PROJECT: BD data protection program
LEADERS: Damian McDonald, vice president of global information security; John Ochman, manager of security monitoring center of excellence; Peter Alfieri, manager of global security management
DESCRIPTION: The new program had to meet stringent privacy and security requirements for new ERP implementation, which replaced several legacy ERP and manufacturing applications from around the globe with a single global instance hosted in the United States. The program has made security transparent to end users with no impact or slowdown of business operations.

BUSINESS VALUE: The project reduced the operational overhead required to protect sensitive data while satisfying industry and government regulatory requirements for data security and privacy for all countries where BD has operations. It also provided a secure credit-card processing solution that met PCI regulatory requirements.

Blackstone

PROJECT: Security through simplicity (security intellectual property)
LEADERS: John Fitzpatrick, vice president; Jay Leek, CISO; William Murphy, CTO
DESCRIPTION: The company needed a way to meet strict document security requirements while delivering end users an optimal experience across multiple devices and geographies. It invested in a small company’s document encryption functionality that was developed to include a document-management application.

BUSINESS VALUE: Because the solution secures the actual content of the document rather than locking down the device, employees can choose their own viewing mechanisms, which allows the company to offer a flexible bring-your-own-device policy. Device workflow tools have helped drive adoption, promote social responsibility and lower printing costs by millions of dollars.
ADP: Improve Analytics, Reduce Client Waiting Time

PROJECT: Trusted platform security infrastructure program
LEADERS: William O’Connell, senior director of security program management; Roland Cloutier, vice president and CSO; V. Jay LaRosa, senior director of converged security architecture services
DESCRIPTION: With almost 3 billion security events a day, ADP needed a new high-speed security information data warehouse to unify all security event data and enrich it with relevant information to allow global security organization analysts to prioritize and react to security threats in real time. The project involved building an advanced platform to protect client data and compile all security information globally to enrich the data between disparate security technologies, enable high-speed analytics and maximize protection capabilities through unified analytics. The platform provides advanced detection and intelligence capabilities in all operating units worldwide. Its architecture uses holistic business intelligence technologies, which the global security organization manages through a converged enterprise risk platform. The initial phase of the project covered 23 data centers around the world and facilitated the additional integration of 14 remote sites; the platform design offers the scalability and flexibility to adapt as ADP continues to grow its operations and acquire new organizations.

BUSINESS VALUE: As a unified platform for global security analytics, threat detection, fraud prevention and risk management, the program has saved the company and its clients millions of dollars by dramatically reducing the time required to perform security investigations, allowing ADP to feel safe moving to new global operating areas and centralizing risk management.

PROJECT: Client security management office portal
LEADERS: William O’Connell, senior director of security program management; Devon Bryan, senior director of client and vendor security
DESCRIPTION: Historically, client requests came through various untraceable channels with no formal reporting or metrics. The entire process, from the initial request through fulfillment, was intensive and manually controlled. The Client Security Management Office Portal provides a centralized location and streamlined process for making certified responses available, creates a searchable knowledge base to which managers can add content, and allows associates to generate customized product documents for clients or prospects.

Three distinct wizards ensure that any user can easily find and access information without training. A case request tool allows users to submit a request if they are unable to find the information they require. For the core services component, a case management tool and a set of executive dashboards and reports allow for efficient service. Having a single, common repository for product security white papers, product security questionnaire responses, and a global data security and privacy knowledge base and Wiki has reduced the turnaround times for RFP responses and client security questionnaires by more than 50 percent.

BUSINESS VALUE: Turnaround time for standard requests for security documentation has dropped from 24 hours to two minutes. In the last five months, ADP supported 93 standard security documentation requests in 186 minutes. In total, ADP has reduced its clients’ wait time by 2,229 hours.
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Blue  Cross  Blue 
Shield  Michigan 

PROJECT:  Information  security  operations 
center 

LEADERS:  Tonya  Byers,  director 
of  information  security; 
Angela  Williams,  manager 
DESCRIPTION:  The  center  pro¬ 
vides  centralized  monitoring 
and  detection  capabilities  to  identify  threats, 
vulnerabilities  and  security  events  that  could 
adversely  affect  information  assets,  technical 
infrastructure  and  data. 

BUSINESS  VALUE:  The  setup  offers  increased 
situational  awareness  within  the  organiza¬ 
tion,  minimizing  risks,  downtime  and  data  loss 
through  timely  monitoring  and  reporting  to 
support  IT  teams,  as  well  as  facilitating  audit 
and  compliance  efforts,  incident  response  and 
forensics. 


Carolinas  Healthcare 
System 

PROJECT:  CMC-PASS  biometric  patient  identifi¬ 
cation  system 


E  LEADERS:  Robert  Pierce, 
assistant  vice  president;  Craig 
Richardville,  senior  vice  presi- 

senior  vice  president  of 
patient  financial  services 
DESCRIPTION:  The  company  set  up  a  custom 
system  for  identifying  patients  by  scanning 
the  veins  in  their  palms.  The  biometric  sys¬ 
tem  registers  and  later  identifies  a  patient, 
contains  a  database  application  to  store  and 
match  patients,  and  provides  an  interface  to 
the  hospital  information  system  to  complete 
the  registration  process  once  a  patient  is 
identified. 


BUSINESS  VALUE:  The  system  improves  the 
accuracy  and  efficiency  of  patient  registra¬ 
tion;  increases  patient  satisfaction  by  improv¬ 
ing  speed  and  convenience;  integrates  with  the 
hospital’s  core  registration  system;  accurately 
authenticates  identities;  minimizes  fraud;  and 
exceeds  standards  for  patient  privacy.  The 
trauma  version  of  the  system  can  also  identify 
incapacitated  patients  who  have  been  enrolled 
in  the  system. 


Citi

PROJECT: Regional Security Command Center (Asia Pacific), Citi security and investigative services

LEADER: Mike Yong, manager of the Regional Security Command Center (Asia Pacific)

DESCRIPTION: The center serves as a hub for coordinating and supporting the response to and management of any security and safety incidents and crises that affect Citi anywhere in the Asia Pacific region. It provides a static and stable platform where information can be collated and analyzed for appropriate responses by Citi security managers and relevant business entities. These can be escalated to the senior members of Citi management promptly and accurately.

BUSINESS VALUE: Monitoring maps and daily situation maps keep all country security managers apprised of current and forecast events in the Asia Pacific region. Situation reports of actual occurrences effectively disseminate information to any relevant staff and members of higher management.

City of Columbus, Ohio

PROJECT: Security program implementation for the City of Columbus

LEADER: Miki Calero, CSO of the City of Columbus

DESCRIPTION: The city's first step toward implementing enterprisewide controls to protect the confidentiality, integrity and availability of information assets and to manage risk to physical assets. Ongoing efforts continue to improve the city's operational efficiency and security effectiveness by standardizing information and physical security controls. The project will also integrate policy into a unified governance framework to ensure that the city remains in compliance with the multiple regulatory requirements that apply to it.

BUSINESS VALUE: The implementation will unify security controls, and merge and standardize the information and physical security systems, which will result in cost-effective, risk-based security investments.


Coca-Cola Refreshments

PROJECT: Enterprisewide, cross-system role-based security

LEADERS: Kim Keever, vice president of information security and controls; Katie Horne, director of information security and access management

DESCRIPTION: The project systematically categorized 75,000 workers using 300 job roles that access nearly 600 applications running 98 percent of the company's daily business transactions. The new role-based solution seamlessly bridges all architectures to create a single security provisioning point of control. On-boarding and security access provisioning are processed as a single request flowing through an automated provisioning system. New technology solutions are mapped to roles, using a repeatable approach. The enterprisewide set of roles ensures a common experience using a scalable, sustainable and supportable solution.

BUSINESS VALUE: The project reduced the number of roles by 95 percent, thereby eliminating thousands of redundant roles, simplifying operations and resulting in a 99.9 percent reduction in security user violations.

FedEx

PROJECT: FedEx email security program

LEADERS: Todd Moen, manager of project and process; Michael Mings, manager of IT; Frank Albright, director of IT; Denise Wood, CISO

DESCRIPTION: The program allows legitimate FedEx email to reach its intended audience while suppressing spam and malicious and phishing emails with fraudulent FedEx brand association by using proactive controls for email authentication and enforcement policies to discard messages that fail authentication.

BUSINESS VALUE: In its first full month, the program blocked the delivery of more than 30 million malicious emails purporting to be from FedEx. It reduced the time needed to identify, report and remove malicious sites, and improved monitoring, reporting and alerting processes for when threats do occur. It cut down on spikes in calls at the customer service center due to people reporting malicious email.
Comcast: Embracing IPv6, Consolidating Privileges

PROJECT: IPv6 and security: Next-gen Internet services at Comcast

LEADERS: Myrna Soto, CISO and senior vice president of national engineering and technical operations; John Brzozowski, distinguished engineer and chief architect of IPv6

DESCRIPTION: Comcast launched a wide-reaching project to implement IPv6 on its network to ensure adequate room for expansion and to meet Comcast's business growth strategy. Doing so created many security challenges, especially when tools and systems lacked support for IPv6. The project developed, assessed and implemented an IPv6 security framework, meeting the company's tight time lines and strict quality requirements. Comcast also carefully coordinated the implementation of IPv6 security tooling and support with its launch of native dual-stack residential broadband services and device management. There were two main motivations for the establishment of this business goal: introducing IPv6 support across many systems, applications and network infrastructures, with security being an overarching theme in the entire deployment, and taking a leadership role to advance the internet community as a whole to IPv6.

BUSINESS VALUE: Between June 2011 and 2012, IPv6 traffic increased by more than 1,000 percent, and in 2012 alone the company saw a nearly 400 percent increase. Comcast's native IPv6 service currently is deployed to about 1.5 percent of its more than 18 million residential subscribers.

PROJECT: Comcast identity management and access governance initiative

LEADERS: Myrna Soto, CISO and senior vice president of national engineering and technical operations; Cindi Hook, senior vice president, assurance and advisory team

DESCRIPTION: In the access governance and role-management phase, Comcast gained a holistic view of entitlements across the enterprise; automated business processes through workflow based on a standard enterprise definition of roles, responsibilities and privileges; improved certification processes in line with regulatory compliance; and properly aligned roles and entitlements for more efficient account management. In the identity-management phase, the company implemented highly available architecture that supports a disaster-recovery environment; achieved maintainable user attribute synchronization among enterprisewide end points; implemented an end-to-end provisioning process for its 280,000 employees, business partners and contractors; and ensured that the system scales to allow Comcast to bulk provision thousands of users, as dictated by its various business units. The company also decommissioned its legacy identity management product and increased the number of identity management endpoints from six to 25.

BUSINESS VALUE: The new system grants Comcast employees, business partners and contractors only the access required to perform their current jobs. It also reduces the time, resources and costs associated with user entitlement certification and related activities. The update removed excess privileges and dormant accounts.
Procter & Gamble: An Olympian Effort in London

PROJECT: Procter & Gamble global security

LEADERS: Jim Hutton, director of global security; Lucy Hodgson, director of communications

DESCRIPTION: At the 2012 Olympic Games in London, P&G was involved in running a hospitality center for athletes and their families, and branded services to select National Olympic Committee venues, the Olympic Village, and other locations in greater London. P&G provided physical security, personnel protection, incident response, crisis management, brand protection, risk assessment, intelligence gathering, and overall staff command-and-control for all on-the-ground Olympic Program events in London, which required security and risk mitigation at sites across the city. P&G partnered with the London Metropolitan Police and London Organizing Committee of the Olympic Games to establish relationships and two-way information exchange; participated in tabletop planning scenarios with the Serious Organized Crime Association for contingency planning and situational awareness; and established collaborative relationships and information exchange opportunities with the U.S. State Department's Overseas Security Advisory Council, other top sponsors, and the U.S. Olympic Committee. P&G staff members from Belgium, Brazil, Canada, China, Germany, Pakistan, Russia, Switzerland, the United Kingdom and the United States worked with the program.

BUSINESS VALUE: The project supported the largest marketing campaign in the company's history. The event generated an estimated $500 million in additional sales; Facebook likes went up by 30 percent; 370 million Twitter messages were posted.


First Horizon National

PROJECT: Scaling third-party risk management

LEADER: Steven Jones, CISO

DESCRIPTION: The project created a consistent and efficient way to measure the inherent and residual risk of third-party service providers by focusing on higher-risk vendors and streamlining and automating the risk-assessment process. It allocates more analysis to high-risk vendors using six questions to measure the criticality and sensitivity of services provided.

BUSINESS VALUE: Automated risk-scoring cut the time analysts spent on analysis by 18 hours and allows virtually instantaneous turnaround for vendor risk scores. Analysts can quickly pinpoint high-risk areas that require more analysis.


General Electric Aviation

PROJECT: Trade-control access security and compliance

LEADER: Tom Rohling, manager

DESCRIPTION: The project developed standardized tools and process for classifying technical data. It evaluates access decisions in real time based on individual identities, applicable export licenses and data classifications, and it maintains required auditable records when allowable exports occur. It includes identity-management systems with citizenship and in-country export status; standardized, Web-based technical data tagging tools for export and import tagging and classification process; centralized data tag management system; and administrative interfaces.

BUSINESS VALUE: The system supports export regulations for more than 20,000 users globally and nearly 3,000 trained and certified taggers in Brazil, Canada, China, India, Mexico, Poland, Singapore, the United Kingdom and the United States. It works with 43 enterprise applications.


HMS

PROJECT: HMS helps U.S. healthcare system operate more efficiently with automated identity and access management and governance

LEADERS: Scott Pettigrew, vice president and CSO; Cynthia Nustad, senior vice president and CIO

DESCRIPTION: HMS supports a homegrown online portal through which healthcare professionals and hospital administrators can access information, such as Medicare claims and physicians' reports. Data visibility helps providers ensure that medical procedures have been followed and billing is correct. The project involved developing a phased strategic identity and access management plan and integrated a platform for automated provisioning and self-service password management.

BUSINESS VALUE: The project improved compliance and reduced administrative costs, improved employee productivity and user experience, and lowered security risks.

Humana

PROJECT: Humana information security awareness and training program

LEADERS: Jon Moore, CISO; Brian LeClaire, senior vice president

DESCRIPTION: Organizers used a blended learning model and multiple instructional methods and delivery media to train a geographically distributed population of associates to be aware of and respond to security issues. Trainers used real-time behavior-changing tactics and the targeted delivery of awareness-raising content tailored to align with users' risk perception and policy knowledge.

BUSINESS VALUE: The company experienced no significant security incidents in 2012.


Kiewit

PROJECT: Simplifying security

LEADER: John Eden, information security and compliance manager

DESCRIPTION: The project provides superior information security to the company while reducing the time and effort employees spend understanding and obtaining the right security to get their work done.

BUSINESS VALUE: The project comprises three phases: Phase 1 made password policies more user-friendly and used heuristic analysis to improve network-access-fraud detection. Phase 2 combines identity management with segregation of duties analysis. Phase 3 provides district-level self-service access through simplified roles and improved single sign-on capabilities.


Los Angeles World Airports

PROJECT: Daily cyber intelligence report: insider threats

LEADER: Bob Cheong, CISO

DESCRIPTION: Daily threat reports apprise security staff of all cybersecurity events occurring on network infrastructures and point out top attacks, top targets and top security events. Events detected include virus, worm, botnet and malware infections and propagation; advanced persistent threats with spear phishing attacks; users accessing malicious websites; Internet hacking attempts and intrusion activities.

BUSINESS VALUE: The security team reviews reports at a daily briefing and assigns actionable items for investigation and remediation. The security information and event management system receives an average of 2 billion system messages a month, and it has analyzed and correlated critical security events down to fewer than 500 actionable events a month.


Massachusetts Port Authority

PROJECT: Transportation security center of excellence

LEADER: Dennis Treece, CSO

DESCRIPTION: Allows on-site testing of promising new security technologies and processes at Massport's active airports and seaports. This accelerates technology improvements in the transportation sector by helping vendors and inventors perfect their offerings in live, operational transportation facilities. Pilot projects have so far tested video surveillance, container inspections and behavior pattern recognition, among other tools.

BUSINESS VALUE: Thus far the Center of Excellence has supported 112 pilot projects; 52 proved operationally valid, 43 needed more work, and the remaining 17 are either ongoing or experiencing an operational pause.


MasterCard Worldwide

PROJECT: I'M OK (employee tracking system)

LEADERS: Daniel Hulbert, director of global corporate security; Richard Gunthner, vice president of global corporate security; Patricia Docherty, group head of human resources and employee relations

DESCRIPTION: The system acts as a database to collect and store dial-in feedback for employees affected by a natural disaster or security incident, engages travelers in high-risk locations to confirm travel dates and check-in times, and maintains contact with employees during a pandemic using dial-in procedures and employee ID tracking to confirm their safety.

BUSINESS VALUE: The system saves hundreds of man hours annually by managing thousands of high-risk travel check-ins and reducing the time travelers spend checking in manually. It also acts as a dormant emergency-response platform, waiting for the next natural disaster, security incident or pandemic.


MetLife

PROJECT: Minimum IT Control (MITC) Assessment and Application Vulnerability Testing (AVT) program

LEADERS: Audrey Mydosh, director of IT risk and security; Jesus "Laz" Montano, CISO; Jim O'Donnell, senior vice president of enterprise infrastructure and architecture

DESCRIPTION: MITC provides an evidence-based review of 58 critical IT security controls and is delivered through a Web-based tool accessible globally by employees, vendors and consultants. AVT comprises Web vulnerability testing, application privacy scanning and application ethical hack testing, incorporating various testing methods to determine potential coding vulnerabilities that could be exploited by external entities and internal trusted sources. The high-level MITC and the granular AVT program together allow MetLife to quickly globalize its IT security program.

BUSINESS VALUE: Control gaps were documented and quickly remediated within global markets, reducing potential exploits and strengthening the organization's security and compliance landscape.

The MITRE Corporation

PROJECT: Making security measurable

LEADERS: Gary Gangon, senior vice president and CSO; Chris Folk, cybersecurity and communications department head

DESCRIPTION: The project collected standardization and structuring initiatives that provide organizing concepts, formats and structures to bring consistency, interoperability and effectiveness to the cybersecurity environment. It provides registries of baseline security data, establishes standardized languages for communicating cybersecurity information, defines proper usage of cybersecurity concepts and supports community approaches for commonly accepted cybersecurity processes.

BUSINESS VALUE: The collected standards support marketplace development of new products so that no firm can corner the market with a proprietary solution. Automated cyber defense capabilities reduce the need for a large staff with specialized skills, lowering labor costs and allowing the cyber team to focus on the most significant problems.

Atlantic Health System: Stabilizing Risk Assessment

PROJECT: The Atlantic Health System Red Cell Program

LEADER: Alan Robinson, director of protection and security services and emergency management

DESCRIPTION: The project developed a documented security risk assessment and infiltration testing program to self-inspect a hospital's security-sensitive areas such as the maternity unit, pediatrics, radiological storage and the pharmacy. Trained, contracted security and law enforcement professionals conduct quarterly inspections designed to test equipment (such as locks and card access systems) and see how well hospital staff respond to undercover personnel attempting to gain access to the staff's areas. The survey team submits written reports that explain whether a department or area was breached and identify security equipment in need of repair, such as a broken lock or door. Facility security personnel also regularly sweep the building and are visible to patients and families, especially at key times such as the end of visiting hours.

BUSINESS VALUE: Through three quarters of 2012, the infiltration-prevention rate exceeded 95 percent. In a report generated from responses to the annual employee engagement survey, 86 percent of employees answered favorably to the safety and security item, "My location pays attention to health and safety." Safety is now ranked as one of the top 10 areas of satisfaction at AHS.

OfficeMax

PROJECT: The Cube, a fully automated, stand-alone, intelligent vulnerability management system

LEADERS: Tarik Rahmanovic, principal security architect; Jon Bausch, senior manager of threat and vulnerability management; Pete Naumovski, vice president of information security

DESCRIPTION: The Cube fully automates the vulnerability-management process to ensure consistency, reliability and scalability. It combines disparate processes and technologies to manage the full lifecycle of vulnerabilities, including initiating scans, integrating exceptions, assigning and tracking ownership, tracking remediation efforts, validating remediation activity, escalating issues per predefined service-level agreements (SLAs), and measuring and reporting through an integrated dashboard.

BUSINESS VALUE: The Cube makes it possible to establish and measure effective SLAs for remediating security vulnerabilities. It saves more than 1,000 man-hours per year compared with traditional programs.


OhioHealth

PROJECT: Multifactor application risk-assessment system

LEADERS: Gerald Walters, director of information security; Mary Jo McElroy, vice president of compliance, asset and finance

DESCRIPTION: The system assesses application system risk to produce results that are timely, simple and integrated with organizational culture. The new process simplifies calculations and data collection, and promotes better understanding of risk. It produces graphs for analysis and planning. In the future, tools will be adapted with scripts that place data into the documentation system or executive dashboards for real-time risk calculation.

BUSINESS VALUE: The system eliminates duplicated efforts and redundant processes and fosters cooperation and awareness among teams doing business continuity and disaster recovery, application owners and clinical support teams. It uncovers ways to improve security controls.


Online Computer Library Center

PROJECT: OCLC's Global ISO/IEC 27001 information security management system (ISMS) implementation and certification

LEADERS: William Lisse, CISO; Gene Oliver, vice president of global systems and information technology

DESCRIPTION: The company shifted to a geographically dispersed and highly interconnected and interoperable enterprise to orchestrate a single coherent global ISMS. Goals included protecting staff and patron privacy, securing connections with B2C/B2B information systems, ensuring availability of business and customer information, meeting regulatory and contractual security requirements, and protecting brand, reputation and strategic information.

BUSINESS VALUE: Based on the Gartner ITScore, the company improved information security capability maturity level from a Level 2 Defined to a Level 4 with continuous improvement. It reduced the number and severity of security incidents and events by 200 percent and 300 percent respectively, and saved 200 labor hours on staff coordination of customer security questionnaires and inquiries.

Kennesaw State University: Managing Access

PROJECT: KSU identity and access initiative implementation

LEADERS: Lectra Lawhorne, executive director of Information Technology Services (ITS); McCree Lake, associate director of ITS; Stephen Gay, associate director of ITS

DESCRIPTION: Kennesaw State University has a student population of more than 24,000 and a positive growth rate in students, employees, programs and services. The complexity of the environment necessitated an access-management system that would allow for technical enforcement and management of longstanding business processes. The project needed to integrate workflows to manage account creation and removal, integrate multiple data sources to manage a single identity across the enterprise, and enforce password standards and requirements while synchronizing passwords for users' accounts. The ITS team deployed the infrastructure and configured the necessary data feeds and applications. The system has automated major enterprise systems including email services, cloud storage, directory groups, directory accounts and faculty, staff and student website publishing services. The implementation has received critical executive support and customer engagement.

BUSINESS VALUE: The system will save KSU around $250,000 per fiscal year in infrastructure and licensing costs for downstream systems that are now automatically managed. It increased annual revenue for University Development and Alumni Affairs by $50,000 by nearly tripling the number of active, donating alumni. It cut costs and security risks by lowering the attack surface by enforcing password expirations and standards, and removing old accounts.


PayPal

PROJECT: PayPal QuickPass

LEADERS: Michael Barrett, CISO and vice president of information risk management; Dan Schatt, senior director of financial innovation

DESCRIPTION: Consumers deposit or withdraw cash to and from their PayPal accounts securely through their own "in the wild" devices, which are so called because PayPal must rely on another party's device security efforts. A proprietary mapping algorithm creates a numerical PIN based on the first four characters of a user's PayPal.com password. The four digits are translated into a numerical PIN that is more secure than common consumer-chosen PINs and is difficult to shoulder-surf or hack.

BUSINESS VALUE: Creating PINs from passwords limits the number of credentials users have to remember, making the user experience simpler and avoiding the most common PINs. During a usability study, the majority of users successfully authenticated their accounts in under five seconds.

Quintiles Transnational

PROJECT: Secure infrastructure for China

LEADERS: Darrel Wang, senior director and head of IT for Asia Pacific; Estella Mou, IT head for China; Jack Baker, executive director of IT Security

DESCRIPTION: The project adapted and combined bring-your-own device, wireless security and desktop virtualization solutions developed for the global Quintiles business with cloud services to establish a new architectural model with an extremely low operating cost that can support Chinese languages, is compliant with international regulatory standards and offers uncompromised security.

BUSINESS VALUE: The project delivered IT systems at extremely competitive cost in the local market with high degree of security, high regulatory standards and fully compliant software licensing.


Sharp Electronics

PROJECT: Compliant provisioning and de-provisioning

LEADERS: John Kavak, CIO; Wyatt MacManus, associate director of information security

DESCRIPTION: The project automated a process for the creation and separation of users in multiple ERP and enterprise systems for permanent employees, contingent employees and B2B partners. It enables users to self-provision or de-provision transactional system security access using automated workflow approval routing that includes segregation of duty simulation and remediation and mitigation subprocedures.

BUSINESS VALUE: The project eliminated paper forms retained for audit to reduce audit hours and security administration. It reduced security administration from three to one and cut on-boarding time from three to five business days down to one to two business days. It eliminated support desk assistance for password resets, significantly reducing support desk requests.
Stanley Black & Decker

PROJECT: Web 2.0 security: content filtering

LEADERS: Marty Whitesel, IT security analyst; Dana Wells, CISO

DESCRIPTION: The project implemented a cloud-based deep-packet inspection technology to add a layer of protection to the existing IT security model. It deployed an agent to all PCs globally using a desktop-management solution. It reviewed and updated policies for blocking categories of websites, such as pornography and gambling sites. It developed reports for HR-related inquiries about employee activity.

BUSINESS VALUE: The project reduced the number of virus incidents on PCs by 20 percent, driving down support costs, and it saved more than $200,000 by decommissioning old servers that ran the legacy content-filtering solution. Web browsing protection is provided on production laptops even when they are not connected to the internal network.


TD Bank Group

PROJECT: Credential storage and retrieval project 2012

LEADERS: Julia Ford, program manager; Jimmy Don, assistant vice president of security engineering; Margaret Shorten, vice president of engineering

DESCRIPTION: The project structured a vaulted system for privileged IDs using a privileged ID management (PIM) system, which grants only the access necessary and automates password management where possible.

BUSINESS VALUE: The project elevated security and protection for the bank and its customers. The number of credentials vaulted in the PIM tool increased by more than 100 percent over the number vaulted in the last three years. The number of people authorized to check out credentials increased by more than 75 percent. The number of safes used to vault credentials increased by more than 35 percent.

Texas Health Resources

PROJECT: Information security program improvement initiative

LEADERS: Ronald Mehring, director of information security; Edward Marx, CIO

DESCRIPTION: The project provides an agile, compliant and cost-efficient approach to information security that is aligned with current and emerging threats, focuses on the resiliency of business processes and supports the health system's values, goals and objectives. It involved implementation of a new technical security architecture that includes mobile devices, complex applications and cloud-based services.

BUSINESS VALUE: The project increases predictability of business operations by lowering information security risks to definable and acceptable levels. It protects against civil and legal liability as a result of information inaccuracy or absence of due care.


How the winners were chosen:

IN TOTAL, WE RECEIVED MORE THAN 100 NOMINATIONS, which were then whittled down to 40 by CSO staff and a panel of six outside judges: Eric Cowperthwaite, Providence Health and Services; Andy Ellis, Akamai; Jamil Farshchi, Visa; Jack Jones, CXOware and Risk Management Insight; Kristin Lovejoy, IBM; Dick Parry, Novartis Institutes for BioMedical Research. Each nomination was reviewed independently by two judges, and no judges evaluated applications from their own companies. From there, the editorial staff made the final honoree selection based on total scores. Chart information compiled and written by project manager Sara Shay.


University of Pennsylvania Health System

PROJECT: Penn Medicine identity management and single sign-on

LEADERS: Mike Moran, director of IT security; Robert Weidner, associate PMO project director; Theresa Hiltunen, entity information officer for Penn Presbyterian Medical Center

DESCRIPTION: The system uses identity management, role-based access control and greater user accountability to strengthen compliance efforts while assisting clinical staff. It automatically queries patient records as staff switch between systems, simplifying the process for accessing patient records and improving patient safety.

BUSINESS VALUE: Session authentication saves users minutes at the computer, allowing clinicians to see more patients and spend less time logging in and loading applications. Nurses using in-room computers to record patient notes during rounds save up to a minute using the contact sensor.


USAA

PROJECT: My Security Advisor

LEADERS: Wil Bennett, executive director of cyber threat operations; Angela Wong, executive director of product management; Richard Davey, senior security analyst

DESCRIPTION: The project enables USAA members to assess their level of online security risk at usaa.com and provides personalized, one-on-one advice on reducing their risk. Once a member completes the interactive assessment, a scale of red, yellow and green displays the member's risk level with customized recommendations. The tool allows 9.4 million members to use USAA's suite of security products, services and advice to protect their identity and financial transactions.

BUSINESS VALUE: The tool simplifies the user experience and maintains member-focused delivery of security information. Adoption of enhanced authentication increased by 11 percent after the tool's launch. It will ultimately reduce the direct and indirect costs to the members due to account takeover and cyber crime.